Si₃TcH / ArraKISS

(auto-hébergement, physique-chimie, enseignement, code, logiciel-libre, notes, crêpes, ...)

Outils de la page

nono : say "no no" to intruders

Download nono.tgz

This is a tool to parse logs and ban ip when they have inappropriate behaviour.

First, you need to setup pf and create a table of banned ip :

block in quick on egress from <bot> to any

If you don't want to run nono as root (it's probably better), create a dedicated user:

# useradd -s /sbin/nologin -m -d /var/empty _nono

Then, setup doas so _nono don't need to enter its password :

permit nopass _nono cmd /sbin/pfctl

Once ready, you can pipe with tail -f any logs to nono:

tail -f /var/log/authlog /var/log/maillog | nono.awk

An example is included. It can be started at boot in /etc/rc.local or edit root's crontab :

# crontab -e
@reboot /usr/local/bin/


Set options with flags -v var=something. Available options are:


You may want to set a cron task to release IP after some time :

pfctl -t bot -T expire "$(( 60 * 60 * 24 * $EXPIRE_DAYS ))"


Previous attempt to build such tool was named vilan :

Original idea by solene :